Update packages/server/api/src/app/authentication/context/access-token-manager.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: MarceloRGonc

packages/server/api/src/app/authentication/context/access-token-manager.ts

@@ -36,6 +36,14 @@ export const accessTokenManager = {
     expiresInSeconds: number = openOpsRefreshTokenLifetimeSeconds,
   ): Promise<string> {
     const principal = await this.extractPrincipal(userToken);
+    if (principal.type !== PrincipalType.USER) {
+      throw new ApplicationError({
+        code: ErrorCode.INVALID_BEARER_TOKEN,
+        params: {
+          message: 'MCP token can only be generated from a USER token',
+        },
+      });
+    }
 
     const secret = await jwtUtils.getJwtSecret();